Thank you Viktor for your reply!
On 20-05-2014 13:44, Viktor Dukhovni wrote:
On Tue, May 20, 2014 at 02:25:49PM +0200, Thomas Leuxner wrote:
In any case you miserably failed to elaborate how to mitigate
the issue other than stating 'revert the change'.
Without defending the tone of that advice, I'd like to affirm its
technical content. Receiving MTAs should not disable SSLv3, they
gain nothing by doing so, all that happens is that clients that
are only capable of SSLv3 are forced to send in the clear.
Even sending MTAs should not disable SSLv3, since it is possible
and normal to send all relevant TLSv1 and later extensions in SSLv3
HELLO messages (provided the client also offers to negotiate
TLSv1 or greater), they just get ignored by SSLv3-only servers.
Opportunistic TLS is sometimes counter-intuitive, attempting to
make it stronger by removing weaker features actually makes it
weaker. Don't give in to the urge to tweak TLS settings, they
are largely fine as they are.
Is it not true though that allowing weak features merely gives the
illusion of security?
It could be argued that a weak method is technically no better than no
encryption so removing the weak method just removes the illusion (which
some would say was a gain).
In an upcoming Postfix 2.12 snapshot, I will change the definition
of tls_export_cipherlist to by default exclude "EXPORT" and "LOW"
ciphers, you can achieve the same effect now by setting:
smtp_tls_exclude_ciphers = EXPORT, LOW
smtpd_tls_exclude_ciphers = EXPORT, LOW
The reason this is safe, is that fortunately there are no longer
any systems that are not capable of using one of the stronger
ciphersuites, at least RC4-128 or 3DES.
Most other "hardening" configuration changes are likely to reduce,
rather than improve SMTP transport security.
I've heard anecdotes of clients not using the best mutually supported
encryption and instead just using whatever's first in the list of
methods accepted by the server. I don't have anything to back this up
though. Ever heard of this? If this was true, then disabling weak
methods might be beneficial.
thanks again,
Colin
